keypatch binary patcher for ida pro
play

KEYPATCH: binary patcher for IDA Pro - PowerPoint PPT Presentation

Jun 04, 2023 •137 likes •418 views

KEYPATCH: binary patcher for IDA Pro http://keystone-engine.org/keypatch NGUYEN Anh Quynh <aquynh -at- gmail.com> Trada hacking - 16/9/2016 1 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro Who am I Nguyen Anh Quynh, aquynh

  1. KEYPATCH: binary patcher for IDA Pro http://keystone-engine.org/keypatch NGUYEN Anh Quynh <aquynh -at- gmail.com> Trada hacking - 16/9/2016 1 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  2. Who am I Nguyen Anh Quynh, aquynh -at- gmail.com ◮ Nanyang Technological University, Singapore ◮ PhD in Computer Science ◮ Operating System, Virtual Machine, Binary analysis, etc ◮ Capstone disassembler: http://capstone-engine.org ◮ Unicorn emulator: http://unicorn-engine.org ◮ Keystone assembler: http://keystone-engine.org 2 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  3. Binary patching CrackMe, CTF challenges Malware analysis Modify binary without source code :-) 3 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  4. URLZone Banking Trojan 4 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  5. IDA Pro https://www.hex-rays.com De-facto binary analysis tool Extendable with plugin SDK (C, Python) 5 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  6. Built-in binary patcher of IDA Modify binary code with menu "Edit | Patch program | Assemble..." Save changes permanently to binary file ◮ Menu "Edit | Patch program | Apply patches to input file..." 6 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  7. How it work? 7 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  8. Problems of IDA built-in binary patcher 8 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  9. Keypatch Solution 9 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  10. Keystone == Next Generation Assembler Framework 10 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  11. Assembler framework Definition Compile assembly instructions & returns encoding as sequence of bytes ◮ Ex: inc EAX → 40 May support high-level concepts such as macro, function, etc Framework to build apps on top of it Applications Dynamic machine code generation ◮ Binary rewrite ◮ Binary searching 11 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  12. Good assembler framework? True framework ◮ Embedded into tool without resorting to external process Multi-arch ◮ X86, Arm, Arm64, Mips, PowerPC, Sparc, etc Updated ◮ Keep up with latest CPU extensions Multi-platform ◮ *nix, Windows, Android, iOS, etc Bindings ◮ Python, Ruby, Go, NodeJS, etc 12 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  13. Existing assembler frameworks Nothing is up to our standard, even in 2016! ◮ Yasm: X86 only, no longer updated ◮ Intel XED: X86 only, miss many instructions & closed-source ◮ Other important archs: Arm, Arm64, Mips, PPC, Sparc, etc? 13 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  14. Life without assembler frameworks? People are very much struggling for years! ◮ Use existing assembler tool to compile assembly from file ◮ Call linker to link generated object file ◮ Use executable parser (ELF) to parse resulted file for final encoding Ugly and inefficient Little control on the internal process & output Cross-platform support is very poor 14 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  15. "If not now, then when? If not you, then who?" - Kailash Satyarthi 15 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  16. 16 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  17. Timeline Indiegogo campaign started on March 17th, 2016 (for 3 weeks) ◮ 99 contributors, 4 project sponsors Beta code released to beta testers on April, 2016 ◮ Only Python binding available at this time Version 0.9 released on May, 2016: http://keystone-engine.org ◮ More bindings by beta testers: NodeJS, Ruby, Go & Rust Version 0.9.1 released on July 27th, 2016 ◮ 2 more bindings: Haskell & OCaml 17 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  18. Keystone engine True framework ◮ Embedded into tool without resorting to external process Multi-arch ◮ X86, Arm, Arm64, Mips, PowerPC, Sparc, Hexagon, SystemZ Updated ◮ Keep up with latest CPU extensions Multi-platform ◮ *nix, Windows, Android, iOS, etc C++ core & multi-bindings ◮ Python, Ruby, Go, NodeJS, OCaml, Rust, Haskell Support various X86 undocumented instructions Compact & lightweight: 10x smaller than LLVM 18 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  19. Keypatch binary patcher for IDA 19 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  20. Keypatch Co-developed with Thanh Nguyen (VNSecurity.net) Open source IDA plugin http://keystone-engine.org/keypatch Tool for assembling & patching in IDA Built on top of Keystone assembler framework ◮ Version 1.0 released at BlackHat USA 2016, August 4th, 2016 ◮ Version 2.0 released on September 14th, 2016 ◮ Version 2.0.1 released on September 15th, 2016 20 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  21. Keypatch - Patcher 21 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  22. Keypatch - Fill Range 22 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  23. Keypatch - Assembler 23 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  24. Keypatch vs IDA’s built-in patcher More friendly ◮ Code preview ◮ Padding NOPs automatically ◮ Logging modifications ◮ Fill a range of selected code ◮ Assembler (do not modify) ◮ Revert (undo) Support 8 architectures ◮ Arm, Arm64, Hexagon, Mips, PowerPC, Sparc, SystemZ, X86 ◮ X86 support is fantastic Open source 24 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  25. Conclusions Keypatch is a superior binary patcher for IDA ◮ Multi-arch + multi-platform ◮ Feature-rich & friendly ◮ Open source Looking for new contributors for our open source projects ◮ Keypatch + Keystone engine ◮ Capstone engine + Unicorn engine 25 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  26. 26 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  27. References Keypatch: http://keystone-engine.org/keypatch Keystone assembler ◮ Homepage: http://keystone-engine.org ◮ Twitter: @keystone_engine ◮ Github: http://github.com/keystone-engine/keystone ◮ Mailing list: http://freelists.org/list/keystone-engine 27 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

  28. Questions and answers KEYPATCH: binary patcher for IDA Pro http://keystone-engine.org/keypatch NGUYEN Anh Quynh <aquynh -at- gmail.com> 28 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro

Recommend

The Patcher Case Peter Kruse (pkr@csis.dk), Head of CSIS eCrime and Research &amp;

The Patcher Case Peter Kruse (pkr@csis.dk), Head of CSIS eCrime and Research &amp;

eCrime unit The Patcher Case Peter Kruse (pkr@csis.dk), Head of CSIS eCrime and Research &amp; Intelligence Unit PGP-ID: 0x715FB4BD eCrime unit Agenda Patcher What is Patcher? Patcher naming? Man in The Browser functions

290 views • 25 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those that dont. What is binary? You and I write numbers like this: twelve is 12, sixty eight is 68, and one hundred is 100 Binary is a number

525 views • 26 slides
A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal Hexadecimal to binary Hexadecimal to Decimal Binary addition Binary subtraction Binary shift Decimal to Binary 146d = ????????b 146/2

91 views • 7 slides
Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents on Fun Facts Why 10 digits? Because and the 0 represents off people typically have 10 fingers and 10 toes, making it easy for counting! 2

119 views • 10 slides
Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next

Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next

Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next assignment) DE DEPARTMENT OF OF COM OMPUTER S SCIENCE &amp; &amp; SO SOFTW TWARE RE E ENGINEERI RING PI PICN CNIC SA SATU TURD RDAY

709 views • 41 slides
Binary Search Trees A binary search tree is a binary tree T such that - each internal node

Binary Search Trees A binary search tree is a binary tree T such that - each internal node

AVL T REES Binary Search Trees AVL Trees AVL Trees 1 Binary Search Trees A binary search tree is a binary tree T such that - each internal node stores an item (k, e) of a dictionary. - keys stored at nodes in the left subtree of

547 views • 26 slides
Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2

Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2

Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2 child elements left child sorts less, right more, than parent tree has a depth tree has a balance, comparing depths of its left and right

305 views • 5 slides
Negative Numbers and Binary operations Eric McCreath Binary Addition Adding binary numbers is

Negative Numbers and Binary operations Eric McCreath Binary Addition Adding binary numbers is

Negative Numbers and Binary operations Eric McCreath Binary Addition Adding binary numbers is very similar to how you would add large decimal numbers in primary school It involves positioning the numbers such that the columns line up in their

562 views • 10 slides
Binary Trees Parts of a binary tree A binary tree is composed of zero or more nodes Each

Binary Trees Parts of a binary tree A binary tree is composed of zero or more nodes Each

Binary Trees Parts of a binary tree A binary tree is composed of zero or more nodes Each node contains: A value (some sort of data item) A reference or pointer to a left child (may be null ), and A reference or pointer to a

653 views • 14 slides
Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 +

Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 +

Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 + 3x1 = 7x10 2 + 2x10 1 + 3x10 0 Binary Numbers 5349 = 5x10 3 + 3x10 2 + 4x10 1 + 9x10 0 Binary Numbers Why base 10? Binary Numbers 257 (base 8)

1.23k views • 75 slides
Extending Binary Linear Classification One-Versus-All Classification (OVA) } In the presence of

Extending Binary Linear Classification One-Versus-All Classification (OVA) } In the presence of

Binary and Other Classification } We will generally discuss binary classifiers, which divide data into one of two classes } Linear classifiers as presented in last lecture are inherently binary, defining the classes based on two regions,

336 views • 7 slides
(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

Welcome back! In the last session, we started to look at computers and coding, and explored the computer language binary. Can anyone remember what binary code looks like? (Binary code is a series of digits, that are either ones or zeros.

402 views • 25 slides
/ + - * * 5 3 2 6 5 2 Examples Binary Trees BSTs Augmenting BinExpr General Trees

/ + - * * 5 3 2 6 5 2 Examples Binary Trees BSTs Augmenting BinExpr General Trees

Trees Readings: HtDP , sections 14, 15, 16. Topics: Introductory examples and terminology Binary trees Binary search trees Augmenting trees Binary expression trees General arithmetic expression trees Nested lists Examples Binary Trees

1.19k views • 31 slides
Objectives To design and implement a binary search tree (25.2). To represent binary trees

Objectives To design and implement a binary search tree (25.2). To represent binary trees

Chapter 25 Binary Search Trees Liang, Introduction to Java Programming, Tenth Edition, (c) 2013 Pearson Education, Inc. All 1 rights reserved. Objectives To design and implement a binary search tree (25.2). To represent binary trees

443 views • 18 slides
Definitions Binary Search Tree: n Tree: hierarchical structure made of nodes with father-son

Definitions Binary Search Tree: n Tree: hierarchical structure made of nodes with father-son

Advanced Programming Binary Search Tree Binary Search Tree Introduction Binary Search Tree, o BST implement dictionaries or ordered queues elements stored are ordered according to a key Efficient (log n) operations S EARCH , M INIMUM , M

362 views • 32 slides
Binary Search Trees and Balanced Binary Search Trees using AVL Trees Mark Redekopp David Kempe

Binary Search Trees and Balanced Binary Search Trees using AVL Trees Mark Redekopp David Kempe

1 CSCI 104 Binary Search Trees and Balanced Binary Search Trees using AVL Trees Mark Redekopp David Kempe Sandra Batista 2 Properties, Insertion and Removal BINARY SEARCH TREES 3 Binary Search Tree Binary search tree = binary tree

630 views • 61 slides
The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601.

The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601.

The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601. Its a very neat implementation of the binary tree idea, using an array. We can use the binary heap to sort an array, and we can use it to make a

304 views • 15 slides
Binary XML and its Characterization Robin Berjon, XML Prague, 25/06/2005 What is Binary XML?

Binary XML and its Characterization Robin Berjon, XML Prague, 25/06/2005 What is Binary XML?

Binary XML and its Characterization Robin Berjon, XML Prague, 25/06/2005 What is Binary XML? Its not XML not in XML syntax doesnt comply to the XML specifications cant give it to an XML parser, it wont work your

553 views • 23 slides
Trees Linear Vs non-linear data structures Types of binary trees Binary tree traversals

Trees Linear Vs non-linear data structures Types of binary trees Binary tree traversals

Trees Linear Vs non-linear data structures Types of binary trees Binary tree traversals Representations of a binary tree Binary tree ADT Binary search tree EECS 268 Programming II 1 Overview We have discussed linear

1.05k views • 76 slides
ECE 242 Data Structures Lecture 17 Binary Trees October 19, 2009 ECE242 L17: Binary Trees

ECE 242 Data Structures Lecture 17 Binary Trees October 19, 2009 ECE242 L17: Binary Trees

ECE 242 Data Structures Lecture 17 Binary Trees October 19, 2009 ECE242 L17: Binary Trees Overview Problem: How do we represent non-linear structures? Binary Tree Similar to a linked list except each node has two children

391 views • 9 slides
Fixed and Floating-point Numbers Eric McCreath Fractional binary numbers Remember how the

Fixed and Floating-point Numbers Eric McCreath Fractional binary numbers Remember how the

Fixed and Floating-point Numbers Eric McCreath Fractional binary numbers Remember how the meaning of the digits in a binary number is defined: Note the binary radix point For example, the binary number: means 2 Binary Converting a

449 views • 7 slides

More recommend